Since the creation of the Internet, passwords have been the primary authentication factor for accessing online accounts. Yubico’s recent Global State of Authentication survey of 20,000 employees found that 58% still use a username and password to log into their personal accounts, and 54% use this method of login to access their professional accounts.
And this, even though today 80% of violations result from theft of login credentials following attacks such as phishing. For this reason, passwords are widely considered by security experts to be the least secure method of authentication that leaves individuals, organizations, and their employees around the world vulnerable to increasingly sophisticated modern cyberattacks like phishing.
In fact, even passwords considered “strong” by websites – meaning they contain more than a dozen characters including upper and lower case letters, numbers and symbols – can always be easily guessed or stolen by malicious actors. Once they obtain the password, they can then bypass all existing multi-factor authentication (MFA) systems and easily access individuals’ personal data. Combined with the fact that people tend to reuse passwords across multiple accounts – giving hackers the ability to hack multiple accounts with a single login – it becomes abundantly clear that passwords as a method of authentication are flawed and extremely insecure in many ways.
Surprisingly, there remains a lack of awareness of authentication best practices: according to the same Yubico survey, 39% of individuals believe that a username and password is the most secure form of authentication, while 37% consider single-use mobile SMS access codes (OTP). ) the most secure authentication method. Although any form of MFA is preferable to simply relying on a password, it is important to recognize that not all methods of MFA provide the same level of security. Traditional MFA techniques, including SMS-based OTPs and mobile authentication apps, have significant vulnerabilities, with cybercriminals displaying an ability to easily circumvent them through phishing attacks.
As individuals and organizations become more aware of the cyber risks associated with passwords and legacy MFA, businesses have begun to abandon outdated authentication methods and move toward more advanced technologies. strong and more cyber-resilient, in the form of phishing-resistant passwordless solutions, such as passkeys. .
Regional Director UK & Ireland at Yubico.
A passwordless future with passwords
Understanding the risks associated with passwords, organizations and individuals around the world are looking for a solution that provides enhanced security and a better user experience. Access keys have taken the world by storm as the de facto authentication solution in apps and websites to replace passwords, helping individuals and businesses achieve this easily. Access keys seamlessly authenticate users using cryptographic security “keys” stored on their computer or device. They are considered a superior alternative to passwords since users are not required to recall or manually enter long sequences of characters that can be forgotten, stolen or intercepted.
As passwordless FIDO credentials, passwords provide phishing resistance and accelerate the abandonment of problematic passwords that are easily breached. Access keys are used to log into applications and services efficiently and securely, improving both productivity and online security. For example, access keys require verification of ownership as well as physical presence of the user during the login process, effectively protecting them from interception or theft by remote cybercriminals.
Beyond enhanced security, accessibility is also significantly improved through the use of a password – highlighted by two different forms of password options: Authentication protocols can be stored in the cloud (synchronized passkey) or on a device as a hardware security key (device-linked passkey). ).Then it is then effortlessly exchanged upon login via a swipe, tap, tap or biometric gesture.
From a security perspective, password login makes it much more difficult for credentials to be exploited and unauthorized access by malicious actors because it uses public key cryptography based on mathematical principles . They can also be conveniently and securely stored on hardware security keys, which provides a higher level of security as it prevents the password from being copied or shared across the cloud and other devices. However, each passkey option brings different benefits – and it’s important to understand which type of passkey best suits your situation and threat model.
The Right Password Strategy for You
First, it’s important to establish the difference between synced and device-bound passkeys. Synchronized access keys are primarily designed for broad use by consumers rather than businesses, and are stored in the cloud. This means that credentials can be copied across all devices connected to a user’s account. For individuals and families sharing devices and accounts, this can be a huge benefit. However, for organizations, this can create worrying failure points and reveal major vulnerabilities in key business scenarios such as remote working and supply chain security.
Device-linked passkeys provide greater ease of management and control over their FIDO credentials than synced passkeys, making them better suited for security-savvy, high-risk individuals , as well as businesses. Device-bound means that authentication must come from a particular piece of hardware separate from everyday devices, where the access key cannot be copied or shared. Despite the lack of flexibility linked to the requirement to register each device separately, these solutions offer a better guarantee of security, because the only method of authentication is to have a specific device previously registered.
However, even among device-related password options, there are important differences: some options are found in general-purpose devices like smartphones and laptops, and others reside in security keys hardware, recognized as offering the highest security assurance. Hardware security keys provide organizations with reliable credential lifecycle management and the evidence needed to validate the security of their credentials, ensuring businesses achieve optimal security and remain compliant with the strictest requirements of different sectors.
When it comes to cybersecurity, it’s imperative to strike a balance between accessibility and security – and the same is true when it comes to access keys. Businesses should opt for a password solution that offers both security and convenience. The solution is expected to improve the security of online accounts and sensitive data, as well as protect users and the organization as a whole against phishing and unauthorized access, while allowing employees to enjoy a seamless login experience .
As we navigate an ever-changing cybersecurity landscape, the integration of passwordless authentication, including through the widespread implementation of passwords, will prove instrumental in protecting our digital identities and securing systems and services that are an integral part of our daily lives.
We have presented the best protection against identity theft.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you’re interested in contributing, find out more here:
